North Korean Threat Actors Exploit LinkedIn for Malware Distribution

Published on September 9, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor

Treat actors affiliated with North Korea have been seen deploying the COVERTCATCH malware through deceptive job recruitment schemes via LinkedIn, targeting developers in decentralized finance (DeFi) and the wider Web3 sector.

According to a report by Google-owned Mandiant, these attacks begin with social engineering methods utilizing LinkedIn to initiate contact under the guise of legitimate job offers. Once communication is established, the attackers send a ZIP file containing the COVERTCATCH malware disguised as a Python coding challenge. 

Upon execution, the malware compromises the target's macOS system by downloading a second-stage payload, ensuring persistence via Launch Agents and Launch Daemons.

LinkedIn Malware Scam Message
Image Source: Mandiant

COVERTCATCH is just one part of various North Korean operations, such as Operation Dream Job and Contagious Interview, which use job-related decoys to infect targets. These operations have previously employed other malware strains like RustBucket and KANDYKORN.

A notable incident involved a malicious PDF mimicking a job description for a VP role at a cryptocurrency exchange, which dropped RustBucket malware—a backdoor written in Rust capable of harvesting system information and maintaining persistence as a fake "Safari Update." 

Beyond social engineering, these threat actors have engaged in software supply chain attacks targeting entities like 3CX and JumpCloud. Once a foothold is established, they exploit password managers to steal credentials, conduct internal reconnaissance, and access cloud-hosted environments to exfiltrate crypto funds.

The FBI recently warned about North Korea's sophisticated social engineering campaigns targeting the cryptocurrency industry. These campaigns often involve impersonating known entities and extensive pre-operational research to craft personalized and credible scenarios that lure victims.

Numerous unsolicited messages, pretending to represent LinkedIn and others, are received by targets over apps such as WhatsApp in various countries worldwide.

In June, the FBI issued a warning about scammers promoting fake work-from-home jobs. The scammers pose as legitimate businesses, such as recruiting agencies, and usually contact victims via unsolicited calls or messages inviting them to rate restaurants or repeatedly click a button in exchange for attractive remuneration.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: